General Data Protection Regulation: From burden to opportunity

By Kalliopi Spyridaki, Chief Privacy Strategist, SAS Europe

It could have been the high price tag of noncompliance with the European Union (EU) General Data Protection Regulation (GDPR) that caught your attention. Or maybe it was the looming date by which businesses need to comply, or all the media noise about data privacy and protection.

These daunting aspects of GDPR are probably what gave you pause in the first place. But if you can set aside fears to embrace the multifaceted requirements of the GDPR, you may find that unique business opportunities await. Let’s take a look at what the General Data Protection Regulation means, who it affects, and how you can use it for a business advantage.

What is the GDPR?

The European Union has adopted the GDPR as new legislation to replace the 1995 European Data Protection Directive. The new EU General Data Protection Regulation significantly strengthens personal data protection by making every organization accountable. It defines personal data more broadly than the earlier directive, puts the individual at the center of data protection, strengthens enforcement and increases fines for noncompliance.

Several data privacy developments have created a lot of hype about the GDPR in recent years. One notable example is the invalidation of Safe Harbor, a mechanism enabling data transfers between the EU and the US that’s been replaced by the Privacy Shield. Confronted with a deadline of May 25, 2018, some organizations are getting downright nervous about complying with the General Data Protection Regulation. Especially considering that financial penalties for noncompliance range up to US$22 million or 4 percent of annual global turnover (whichever is greater).

Do you know how to build a solid data strategy?

In The 5 Essential Components of a Data Strategy, Evan Levy explains how to build a data strategy with realistic goals and measurable deliverables. Download the white paper

Who does the General Data Protection Regulation affect?

Make no mistake: Your organization is not exempt from GDPR requirements just because it’s not based in an EU country. This sweeping legislation applies globally for any organization that processes the personal data of individuals who live in the European Union. That could be an employee who lives in Germany but works for a company in New York. Or a customer from Ireland doing an online transaction with a California-based retailer.

A revised definition of personal data

Personal data, according to the General Data Protection Regulation, is any data that allows for the identification of an individual, directly or indirectly. A variety of factors that can identify a person – IP address or location data, for example – are now covered as a way to ensure personal data protection. It’s a very broad definition, and one that’s expected to expand over time.

What are the major changes of the GDPR legislation?

The new definition of personal data is indicative of the overall tone of the new legislation. Under the General Data Protection Regulation, personal data is considered a valuable asset. And requirements and obligations around it are tightening up considerably.

Let's take a look at four major changes to personal data protection that we’ll see with the new law.

More enforcement

With the new General Data Protection Regulation, law enforcement gets tougher. The data protection authorities will have more resources and powers and will come together in a new Pan-European body with binding opinions. Notably, just 10 years ago data privacy was a legal compliance issue that hardly made it to the top 10. Today it’s on top of the compliance agenda for companies of all sizes and across all sectors.

Greater accountability

The General Data Protection Regulation makes organizations accountable for personal data protection. They will have the burden of proof when it relates to whether, how and how well they protect personal data. This includes having security measures in place to guard against data breaches, and taking quick action to notify individuals and authorities in the event a breach does occur. In the future, data protection compliance becomes more about how well your business processes are organized than formally getting an authorization to process data. It pays to have someone – like a data protection officer – who understands data privacy and knows how to apply the law.

Depending on your processing activities, you may be required by the GDPR to have such a person in place. Beyond the legal requirements, it will be equally important to ensure this person understands the value of data as a strategic asset for the business. It will pay to have a data protection officer who can inspire change within the organization – not only for the sake of compliance, but also to embed personal data protection and data governance in general as essential business requirements.

Privacy by design

Privacy by design requires that all departments look closely at their data and how they handle it. So the first step for every organization will be a data flow mapping exercise that encompasses the entire business. Once you’ve identified where all the personal data is and exactly what you do with it, you have to secure it the right way. Looking at your data from a data privacy point of view – starting with product development and moving through the supply chain and to the customer – is the essence of the new data privacy law. Privacy by design also presupposes that there’s more transparency about data and data transfers.

Putting the individual first

Beyond compliance, the biggest change with the new legislation will be an overall shift in attitude toward privacy. The GDPR empowers individuals by placing them at the center of data protection. For example, the right to data portability means that it should be seamless for customers to change service providers and move all of their data to the new provider. What’s more, the GDPR enhances a consumer’s right to ask a company to delete their personal information by foreseeing that the customer will have the “right to be forgotten.”

The General Data Protection Regulation makes organizations accountable for personal data protection. They will have the burden of proof when it relates to whether, how and how well they protect personal data.

Kalliopi Spyridaki • Chief Privacy Strategist, SAS Europe

Four ways to use the GDPR as a business differentiator

If you take a step back to look at the sweeping GDPR changes, it’s clear that the rules are tighter and more challenging now – but the basic principles are the same as those we've had for many years. In that sense, for many companies the General Data Protection Regulation will be more about reviewing compliance procedures than building something from scratch. Whatever that entails for your company, the GDPR brings with it many new opportunities that can help your organization thrive.

Innovation

Companies that are inspired to use the GDPR as an inducement for innovation could be rewarded by getting ahead of their competitors in a new market sparked by GDPR requirements. Consider developing new services or products to guarantee customers that their personal data is safely handled and stored. Take, for example, initiatives like personal data vaults. These cloud-based apps allow individuals to store personal data and enable them to control access permission.

You could also think of innovative ways to use data without violating privacy laws. One interesting example is a company that offers a next-generation people counter to help retailers understand customers without collecting personal data. The solution is a smart floor that gathers images of people’s footwear to analyze footsteps. The images, in combination with multiple layers of machine learning and artificial intelligence, enable the system to automatically count people. What’s more surprising: The system can intelligently categorize people’s demographics based on the shoes they wear and their walking patterns. It can even determine reactions to store displays.

Transparency = trust

Getting privacy right is a competitive advantage. We’re all more likely to trust a service provider who values our privacy (beyond mere legal compliance) and is transparent about how our data is used. The GDPR requirements open the door for you to review policies about what you tell customers regarding how their data is collected and processed. This transparency will lead to deeper trust and more loyal customers.

We learned a lesson about how not to do this from a large Dutch bank. A few years ago, it announced the launch of a big data project where it would use customer data for targeted advertising. The bank properly informed customers about the project, but failed to show the value of it. Another downside: The customers couldn’t choose whether they wanted to be part of this project or not. It backfired on the bank – and after lots of negative feedback and press coverage they decided to withdraw the project.

Consumer empowerment

The new data protection regulation places consumers in the driver’s seat. By going along for the ride – wholeheartedly – customers will recognize you as a privacy champion.

The GDPR reinforces existing consumer rights and introduces certain new rights. Moreover, the individual’s consent is elevated to be the main legal basis for the processing of personal data. This empowerment of individuals to decide whether and how their personal data should be processed is causing quite a few headaches. It’s challenging to design or review privacy compliance programs with the goal of ensuring that all the rights foreseen in the GDPR for individuals can be satisfactorily exercised.

With the GDPR, privacy will create a culture shift for businesses. But it’s a strategic issue as well. By empowering your customer, you’re also empowering your business in a competitive marketplace.

Data strategy for how to manage and govern data

Personal data protection should now become a data strategy issue. To comply, you need to have solid data management and data governance policies in place. The General Data Protection Regulation gives you the opportunity to holistically reassess these policies – for all your data, not just personal data. This is a valuable undertaking and a way to gain business benefits from an expensive and extensive legal compliance project.

Data is your organization’s most important asset, and it’s constantly growing. Putting robust policies in place now will not only help you comply – it will help you reap the full benefits of your data in the best way possible.

General Data Protection Regulation: Go beyond compliance

Changing your perspective to think of the General Data Protection Regulation as an opportunity, not a burden, will not happen overnight. But it’s smart to be proactive. Doing so will also prepare you for EU laws on data that may follow; for instance, on data localization, privacy and confidentiality of communications, and data ownership. It will give you a chance to get it right when it comes to balancing your need to understand customers with their need for privacy. It’s the perfect time to get a deeper understanding of all your company’s data and create a comprehensive data strategy that will carry you confidently to May 2018 and well beyond.

EU personal data protection (GDPR) – What is it all about?

Listen as Casper Pedersen, a global expert on data management and GDPR, explains why this new regulation is so important and what the consequences are for businesses.

About the author

Kalliopi Spyridaki is Chief Privacy Strategist for SAS Europe. She joined SAS in 2007. In her role, Spyridaki provides thought leadership to SAS and its customers on data protection and privacy issues. She strives to bridge the gap between public policy, legal and business considerations to ensure that both SAS and its customers remain at the forefront of the rapidly evolving European privacy landscape. Before joining SAS, she had various positions in public affairs consultancy, a European trade association, European and Greek law firms, the European Commission and the Greek Ministry of Foreign Affairs. She has a law degree from the University of Athens, Greece, and has been a member of the Athens Bar Association since 2003.